Girl Geekette

Needless to say, I was inspired by an article on Windows Security that did a test using Windows 2000 to try my own test with Windows XP using NTFS. Below are my findings and screen by screen snapshots (Thumbnails are shown, click them to see a larger picture that Opens in this window):

ADS test using Windows XP

1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 8/23/2001 8:00AM and the size is 112KB.

Alternate Data Streams WinXP Image 1

Here is a listing in DOS that shows the directory with the copied calc.exe file.

Alternate Data Streams WinXP Image 2

2. I append an ADS (Alternate Data Stream) to the Windows Calculator program I copied to the test directory with another Windows program (Notepad - c:\windows\notepad.exe).

I was thumbing through my website and checking the theme, working on come CSS when I happened to look at my logs. It seemed every time I clicked on a post to check some alignments of the theme, that there was another entry right under mine - from a different IP address. The 2nd time I noticed it, I figured that maybe it was a coincidence and someone happened to click on the post the same time I did. The third and fourth time it happened, I had to wonder. Below is a copy and paste from my logs. The 192 address is mine, but look at the log entries right below mine:

While searching around, I happen to run across something that caught my eye. It deals with Microsoft’s NTFS and security. ADS 0r Alternate Data Streams - was originally created to provide compatibility with HFS (Macintosh Hierarchical File System).

Although widely unknown by most that ADS even exists, it is has been used by sometime by people to exploit Windows Boxes that use NTFS. Not all anti-virus programs will pick up alternate data streams. It is easy to exploit the ADS and let it go undetected for some time. Although with technology getting better, some anti-virus scanners are now picking up the ADS when changes have been made to the default configuration.

Security Focus has a demonstration of how this is used by rooting or exploiting a lab box using the MS04–011 vulnerability. The Metaspoilt Framework can allow someone to break into a computer via the lsass overflow.

Hacking is not a bad thing. Hacking is a good thing! It is about learning, not being malicious. Learn what hacking is all about, and realize no one can teach you! Hacking IS about learning. you teach yourself by hacking.. hacking to learn more. The more you learn about computers, how they work, what they do, how they do it, the more you are computer hacking. And then, you take that knowledge and learn to apply it in future scenarios. In the end, you’ll ask more questions, find more answers, and learn more. You are hacking to learn.. not learning to hack.